Tuesday, March 19, 2013

5 more dirty tricks: Social engineers' latest pick-up lines

5 more dirty tricks: Social engineers' latest pick-up lines

From a new twist on tech support to playing the odds with a large number of desperate job seekers, today's social engineers are getting very specific in their plans to manipulate their marks

by Joan Goodchild, Senior Editor, CSO

September 26, 2011

You may now be savvy enough to know that when a friend reaches out on Facebook and says they've been mugged in London and are in desperate need of cash, that it's a scam. But social engineers, the criminals that pull off these kinds of ploys by trying to trick you, are one step ahead.

What that means is they may need to do more work to find out personal information, and it may take longer, but the payoff is often larger.

"Attacks now are not just a broad spam effort, sending out a million emails with an offer for Viagra," said Hadnagy. "These are now individual attacks where they are going after people one by one."

Here are five new scams circulating that employ much more individual involvement.

"This is Microsoft support —we want to help"

Hadnagy says a new kind of attack is hitting many people lately. It starts with a phone call from someone claiming to be from Microsoft support, calling because an abnormal number of errors have been originating from your computer.

"The person on the other end says they want to help fix it because there is a bug and they have been making calls to licensed Windows users," explained Hadnagy. "All of the pretext makes sense; you are a licensed Windows user, you own a machine with Windows on it and she wants to prove it to you."

The caller tells the victim to go to the event log and walks them through the steps to get to the system log.

"Every Windows user will have tons of errors in the event log, simply because little things happen; a service crashes, something doesn't start. There are always errors," said Hadnagy. "But when a non-experienced user opens it up and sees all these critical errors, it looks scary."

At that point, the victim is eagerly ready to do whatever the alleged "support" person wants them to do. The social engineer advises them to go to Teamviewer.com, a remote-access service that will give them control of the machine.

Once the social engineer has access to the machine through Teamviewer, they then install some kind of rootkit or other kind of malware that will allow them to have continual access, said Hadnagy.

"Donate to the hurricane recovery efforts!"

Charitable contribution scams have been a problem for years. Any time there is a high-profile incident, such as the devastating earthquake in Haiti or the earthquake and tsunami in Japan, criminals quickly get into the game and launch fake contribution sites. The best way to avoid this is to go to a reputable organization, such as the Red Cross, and initiate the contact yourself if you want to donate. However, Hadnagy says a particularly vile targeted social engineering ploy has cropped up recently that seeks specifically to target victims who may have lost loved ones in a disaster.

In this example, Hadnagy says about 8-10 hours after the incident occurs, web sites pop up claiming to help find those who may have been lost in the disaster. They claim to have access to government data bases and rescue effort information. They typically don't ask for financial information, but do require names, addresses and contact information, such as email and phone numbers.

"While you're waiting to hear back about the person you are seeking information on, you get a call from a charity," said Hadnagy. "The person from the charity will often strike up a conversation and claim to be collecting contributions because they feel passionate about the cause as they have lost a family member in a disaster. Secretly, they know the victim they've contacted has lost someone, too, and this helps build up a camaraderie."

Touched by the caller, the victim then offers up a credit card number over the phone to donate to the alleged charity.

"Now they have your address, your name, relative's name from the web site and also a credit card. It's basically every piece they need to commit identity theft," said Hadnagy.

Hadnagy has also heard of criminals who then go on to launch secondary attacks to obtain even more sensitive information, such as placing a call posing as a banking representative to verify the charity donation is legitimate and asking for the victim's social security number "for verification purposes."

"About your job application..."

Both job seekers and head-hunting organizations are being hit by social engineers who know they are looking for employment or seeking new employees.

"In both directions, this is a dangerous one," said Hadnagy. "Whether you are the person looking for work or the company posting new jobs, both parties are saying 'I'm willing to accept attachments and information from strangers.'"

According to a warning from the FBI, more than $150,000 was stolen from a U.S. business via unauthorized wire transfer as a result of an e-mail the business received that contained malware that resulted from a job posting.

"The malware was embedded in an e-mail response to a job posting the business placed on an employment website and allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company," the FBI alert reads. "The malicious actor changed the account settings to allow the sending of wire transfers, one to the Ukraine and two to domestic accounts. The malware was identified as a Bredolab variant, svrwsc.exe. This malware was connected to the ZeuS/Zbot Trojan, which is commonly used by cyber criminals to defraud U.S. businesses."

Malicious attachments have become such a problem that many organizations now require job seekers to fill out an online form, rather than accept resumes and cover letters in attachment, said Hadnagy. And the threat for job seekers of receiving a malicious message from a social engineer is high, too, he said. Many people now used LinkedIn to broadcast that they are looking for work, a quick way for a social engineer to know who is a potential target.

"This is one of those cases of what do you do?" he said. "People need to look for jobs and companies need to hire. But this is a time when more critical thinking is required."

Social engineers are taking the time to observe what people tweet about and using that information to launch attacks that seem more believable. One way this happening is in the form of popular hashtags, according to security firm Sophos. In fact, earlier this month, the U.K. debut of the new season of 'Glee' prompted social engineers to hijack the hashtag #gleeonsky for several hours. British Sky Broadcasting paid to use the hashtag to promote the new season, but spammers got ahold of it quickly and began embedding malicious links into tweets with the popular term.

"Of course, the spammers can choose to redirect you to any webpage they like once you have clicked on the link," said Graham Cluley, a senior technology consultant at Sophos in their Naked Security blog. "It could be a phishing site designed to steal your Twitter credentials, it could be a fake pharmacy, it could be a porn site or it could be a website harboring malware."

Twitter mentions are another way to get someone's attention. If the social engineer knows enough about what you're interested in, all they have to do is tweet your handle and add some information in that makes the tweet seem legitimate. Say you're a political wonk who is tweeting quite a bit about the GOP primary race lately. A tweet that mentions you, and points you to a link asking you what you think about Mitt Romney's latest debate statements can appear perfectly legitimate.

"I would expect we will see even more attacks like this in social media because of the way people click through these links," said Hadnagy.

"Get more Twitter followers!"

Sophos has also warned of services claiming to get Twitter users more followers. According to Cluley, you'll see tweets all over Twitter that says something like : GET MORE FOLLOWERS MY BEST FRIENDS? I WILL FOLLOW YOU BACK IF YOU FOLLOW ME - [LINK]"

Clicking on the link takes the user to a web service that promises to get them many more new followers.

Cluley himself created a test account to try one out and see what would happen.

"The pages ask you to enter your Twitter username and password," reported Cluley in a blog post on the experiment. "That should instantly have you running for the hills - why should a third-party webpage require your Twitter credentials? What are the owners of these webpages planning to do with your username and password? Can they be trusted?"

Cluley also notes the service, in the bottom right hand corner, admits that they are not endorsed or affiliated with Twitter, and in order to use the service, you are required to grant an application access to your account. At that point, all assurances of security and ethical use are off, he said. Twitter itself even warns about these services on their help center information page.

"When you give out your username and password to another site or application, you are giving control of your account to someone else," the Twitter rules explain. "They may then post duplicated, spam, or malicious updates and links, send unwanted direct messages, aggressively follow, or violate other Twitter rules with your account. Some third-party applications have been implicated in spam behavior, fraud, the selling of usernames and passwords, and phishing. Please do not give your username and password out to any third-party application that you have not thoroughly researched."